CVE-2026-41724: VMSA-2026-0004: VMware Cloud Foundation Operations updates address multiple vulnerabilities (CVE-2026-41722, CVE-2026-41723 and CVE-2026-41724)
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
Metrics
- CVSS v3.1: 8.0
- Severity: HIGH
- Fixed in: —
- Affected Products: 3
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) in VMware Cloud Foundation Operations allows an authenticated attacker with low-level privileges to inject malicious scripts into policies, views, or text widgets. The injected script executes in the browser of any user who views the affected content; the victim needs to take no deliberate action beyond normal use of the application. Successful exploitation gives the attacker the ability to perform administrative actions within the application on behalf of the victim, including reading sensitive data, modifying configuration, and disrupting service. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as VMware publishes a fix.
HarborGuard Coverage
Detection of CVE-2026-41724 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds, covering both vendor-supplied and custom-built images derived from affected VMware Cloud Foundation Operations base layers. Any image resolving to a VCF Operations version at or below 8.18.7 is flagged immediately upon scan.
Status: Available
HarborGuard scores this finding at CVSS 8.0 (HIGH) and is capable of weighting that score against each customer environment's compliance policy to determine actual business priority. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization based on ownership rules configured per registry or workload.
Status: Available
Because no fix version has been published by VMware, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix appears. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention as soon as a fixed version is confirmed.
Status: Pending upstream
Exploit Conditions
- Network reachability (Required): The vulnerable application must be reachable over the network; an attacker submits the malicious payload through normal HTTP/S requests to the exposed web interface.
- Authentication (Required): A low-privilege account is sufficient; the attacker only needs the ability to create policies, views, or text widgets within the application.
- Victim interaction (Required): A logged-in user (typically an administrator) must browse to or render the page containing the injected script for the payload to execute in their browser session.
- Attack complexity (Detail): Attack complexity is low; no race conditions or special environmental configuration are required to deliver and store the malicious payload reliably.
Blast Radius
- Reads the victim's active session tokens, cookies, and any sensitive data rendered in the application UI at the time the script executes.
- Performs administrative actions within VMware Cloud Foundation Operations under the identity of the victim user, including modifying monitoring policies and configuration.
- Modifies or deletes views, dashboards, and text widgets, corrupting operational visibility for other users.
- Triggers disruptive in-application actions on behalf of the victim, such as altering alert thresholds or disabling monitoring components.
How HarborGuard Handles This
Available on HarborGuard: because VMware has not yet published a fix for CVE-2026-41724, the platform monitors the upstream advisory on every ingest cycle and will surface a patched-image rebuild the moment a fixed version is released. For customers with auto-remediation enabled, that rebuild will be accompanied by a regression test run and a PR opened against affected workloads with no manual steps required. In the interim, compensating controls are worth considering: network-policy isolation can restrict which internal principals can reach the VCF Operations web interface, reducing the pool of accounts capable of injecting stored payloads; egress filtering on the application container can limit the reach of any script that does execute; and access controls should be reviewed to ensure the policy, view, and widget creation capabilities are scoped only to roles that genuinely require them. HarborGuard will surface the advisory in each customer environment's finding queue at HIGH severity so it remains visible until a fix is applied.
- VMware / VCF operations ≤ 8.18.7
- VMware / VMware Aria Operations ≤ 8.18.7
- VMware / VMware Telco Cloud Platform ≤ 8.18.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H